Products that can detect stealthy malware-based attacks aimed at cyber-espionage and data exfiltration should be considered a specialized area of the security market, according to research firm IDC, which has designated a new market category for them: "Specialized Threat Analysis and Protection."

STAP, as IDC abbreviates it, was not much more than a $200 million market worldwide last year, according to IDC, but it is expected to triple by next year and reach $1.17 billion by 2017. IDC defines STAP as technologies that are primarily "signatureless," that is, not relying on malware signatures; these include sandboxing, big data analytics and containerization used to detect malicious activity.

STAP products, whether they operate at the network level, on the endpoint or both, scan inbound and outbound traffic for anomalies, including botnet and command-and-control (C2) traffic that typically indicates a compromise. IDC says STAP products may also be used for reverse engineering and forensic analysis of discovered malware.
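One concrete form of the "outbound anomaly" detection described above is beacon detection: a compromised host checking in with its C2 server at near-regular intervals, without any signature for the malware involved. The following is an added example, not code from IDC or any vendor named on this page; the flow records, the thresholds and the IP addresses are constructed for illustration.

```python
"""Toy beacon detector over flow records: flags a (source, destination, port)
triple that is contacted at near-regular intervals, one signatureless signal
of command-and-control check-ins. Added example; flows and thresholds are
constructed, not taken from any product."""
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_700_000_000  # arbitrary epoch start for the constructed records


def _times(start, intervals):
    """Expand a start time plus a list of gaps into absolute timestamps."""
    t, out = start, [start]
    for gap in intervals:
        t += gap
        out.append(t)
    return out


# Constructed flow records: (epoch seconds, src IP, dst IP, dst port).
SAMPLE_FLOWS = []
# 10.0.0.5 checks in with 203.0.113.7:443 about every five minutes, low jitter.
for t in _times(BASE, [300, 297, 304, 299, 302, 298, 301]):
    SAMPLE_FLOWS.append((t, "10.0.0.5", "203.0.113.7", 443))
# 10.0.0.12 talks to an internal web server at irregular, human-driven gaps.
for t in _times(BASE + 42, [10, 500, 40, 2000, 15, 700, 120]):
    SAMPLE_FLOWS.append((t, "10.0.0.12", "198.51.100.2", 80))
# 10.0.0.9 browses a few sites twice each: too few flows to judge either way.
for n, host in enumerate(["203.0.113.20", "203.0.113.21", "203.0.113.22"]):
    SAMPLE_FLOWS.append((BASE + 7 + 60 * n, "10.0.0.9", host, 443))
    SAMPLE_FLOWS.append((BASE + 9 + 60 * n, "10.0.0.9", host, 443))
SAMPLE_FLOWS.sort()  # interleave by time, as a real flow export would be


def inter_arrivals(timestamps):
    """Gaps between consecutive connections, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps):
    """Return (mean gap, coefficient of variation), or None if not measurable.

    A low coefficient of variation means the gaps are nearly constant,
    which is what a timer-driven beacon looks like and browsing does not.
    """
    gaps = inter_arrivals(timestamps)
    if len(gaps) < 2:
        return None
    period = mean(gaps)
    if period <= 0:  # duplicate timestamps: nothing to measure
        return None
    return period, pstdev(gaps) / period


def find_beacons(flows, min_flows=6, max_cv=0.1, min_period=30.0):
    """Group flows by (src, dst, port) and flag regular, slow check-ins.

    min_period keeps very fast keepalives (NTP, health checks) out of scope;
    the other thresholds are assumptions for this example.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        groups[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), stamps in groups.items():
        if len(stamps) < min_flows:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        period, cv = score
        if period >= min_period and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "period": round(period, 1), "cv": round(cv, 4),
                         "flows": len(stamps)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every ~{hit['period']}s (cv={hit['cv']}, n={hit['flows']})")
```

Only the 10.0.0.5 host is flagged: its gaps vary by a few seconds around 300, while the web-server traffic has a coefficient of variation above 1. Malware that adds large random jitter to its sleep interval defeats this single feature, which is why shipping products combine it with others (destination rarity, bytes per connection, time of day) rather than relying on interval regularity alone.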

"Basically, enterprise security must constantly analyze all aspects of infrastructure for threats, assuming there is a compromise somewhere," says Phil Hochmuth, IDC program manager, security products.

STAP technologies work alongside traditional signature-based anti-malware and intrusion-detection and prevention systems (IDS/IPS), Hochmuth says. IDC expects STAP to evolve much as the IDS/IPS market did, with enterprises deploying it in a monitoring, "listening" mode at first and then moving to a prevention model once "they're comfortable with the technology." IDC also expects STAP to become an important part of the "kill chain" model of advanced attacks, Hochmuth says.

Other vendors with recently introduced STAP technologies, sometimes embedded in their other security products, include AhnLab; Cognitive Security (acquired by Cisco); Cylance; Check Point Software with its Threat Emulation Blade; Fortinet; Mandiant; Intel's McAfee with its entry into sandboxing via the ValidEdge acquisition; EMC company RSA with its RSA Security Analytics (NetWitness Spectrum) and RSA Enterprise Compromise Assessment Tool. And finally, Websense, with its ThreatScope sandboxing, which the security firm now offers integrated into its Triton Enterprise gateways.

In fact, integration of STAP technologies into existing network, endpoint and content security products is expected to become commonplace, IDC says. The incumbent security vendors are mostly seen as catching up to smaller STAP-focused providers, some of them new, like Cylance, and some established for several years, such as Damballa.

STAP is meant to detect zero-day attacks and data exfiltration by attackers, which can go on for weeks if not years. IDC believes STAP products today are used to augment more traditional network security and endpoint security products. Early adopters are large financial institutions, large government agencies and large enterprises with "acute data protection requirements."

"Among enterprises, it appears extra budget is being allocated for STAP technology, as opposed to shifting spend to STAP from other solutions," an IDC report notes. IDC expects this trend to continue, saying it could help STAP-focused vendors grow without directly competing with other parts of the security market, such as anti-virus. But IDC also cautions that STAP vendors will have to show they can stay ahead of attackers, who may, for example, use "sleep" techniques to counteract STAP technologies such as sandboxing: a sample that sleeps or waits for user activity before doing anything harmful shows only benign behaviour during a time-limited sandbox run.
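To make the sleep-evasion caveat concrete, here is an added example (not IDC's or any vendor's code) of a stand-in "sample" that delays its payload with a long sleep, run first in a sandbox with a fixed time budget and then in one that fast-forwards sleeps on a virtual clock. The sample, the clock and the sandbox harness are assumptions for illustration; injecting the clock into the sample stands in for the API hooking a real sandbox would do.

```python
"""Sleep-based sandbox evasion and the sleep-skipping countermeasure.
Added example; the sample, SandboxClock and run_sandbox are assumptions
for illustration, not a real product's design."""


class SandboxTimeout(Exception):
    """Raised when the sample would outlive the detonation budget."""


class SandboxClock:
    """Virtual clock handed to the sample in place of time.time/time.sleep.

    With skip_sleeps=False it models a naive sandbox: a sleep that runs past
    the analysis budget ends the run, as a real timeout would.  With
    skip_sleeps=True it models sleep skipping: the clock jumps forward
    instantly, so the sample believes the delay has elapsed.
    """

    def __init__(self, budget, skip_sleeps):
        self.now = 0.0
        self.budget = budget
        self.skip_sleeps = skip_sleeps
        self.skipped = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        if self.skip_sleeps:
            self.now += seconds        # fast-forward instead of waiting
            self.skipped += seconds
            return
        if self.now + seconds > self.budget:
            raise SandboxTimeout(f"sleep({seconds}) exceeds {self.budget}s budget")
        self.now += seconds            # time modelled, not really slept


def evasive_sample(clock, events, delay=600.0):
    """Constructed stand-in for malware that stalls before acting.

    It also re-checks the clock after sleeping, a cheap test for analysis
    environments that return from sleep early without advancing time.
    """
    start = clock.time()
    clock.sleep(delay)
    if clock.time() - start >= delay:
        events.append("connect 203.0.113.7:443")   # constructed C2 address
        events.append("drop stage2")
    return events


def run_sandbox(sample, budget=120.0, skip_sleeps=False):
    """Detonate `sample` under a virtual clock and report what was observed."""
    clock = SandboxClock(budget, skip_sleeps)
    events = []
    timed_out = False
    try:
        sample(clock, events)
    except SandboxTimeout:
        timed_out = True
    return {"events": events, "timed_out": timed_out,
            "skipped": clock.skipped, "elapsed": clock.now}


if __name__ == "__main__":
    print("naive sandbox:   ", run_sandbox(evasive_sample))
    print("sleep skipping:  ", run_sandbox(evasive_sample, skip_sleeps=True))
```

The naive run records no events and a timeout; the sleep-skipping run sees the C2 connection and the dropped payload while reporting the 600 seconds it fast-forwarded. The cat-and-mouse does not end there: once sleeps are skipped, samples compare several time sources or wait for mouse movement instead, which is the kind of arms race IDC is alluding to.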

Will security vendors and customers start regularly using the term STAP, which IDC coined earlier this year? That is unclear, but IDC expects to keep tracking how STAP evolves in its future reports on this market segment.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.